WO2020027159A1 - Information processing device, program and verification method - Google Patents


Info

Publication number
WO2020027159A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
version
setting
setting file
file
Application number
PCT/JP2019/029907
Other languages
English (en)
Japanese (ja)
Inventor
剛 永吉
雄一 小松
亮太 佐藤
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to EP19845230.2A (EP3812939B1)
Priority to CN201980049031.7A (CN112513849A)
Priority to AU2019313886A (AU2019313886B2)
Priority to US17/263,517 (US12026258B2)
Publication of WO2020027159A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or arrangements for message authentication involving digital signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Definitions

  • the present invention relates to an information processing device, a verification method, and a verification program.
  • access control is performed by the operating system (OS) in order to ensure the integrity of setting data.
  • OS: operating system.
  • the OS provides an access control mechanism for AP programs and files.
  • using functions of the OS, authority can be granted so that only a user or a program holding that authority can update the setting file.
  • if the OS operates properly, the authorized AP program operates properly, and the user sets the authority appropriately, the integrity of the setting data can be considered protected when the AP program refers to it.
  • a technology for confirming the integrity of a startup program using a security module such as a TPM (Trusted Platform Module) in an information processing device is known.
  • This technique can confirm the integrity of programs such as the firmware and the kernel executed in the boot process up to OS startup, but the authority it relies on is granted to programs executed before the OS starts and cannot be used from an AP program executed afterwards. That is, an AP program executed after the OS has started cannot, on its own, use the security module to confirm the integrity of a setting file.
  • the security module has an access control mechanism independent of the OS; it records the version number of a program, allows that version number to be referenced, and increases it (version upgrade) only under the authority set by the access control mechanism.
  • the security module has tamper resistance, so it is physically very difficult to perform any operation on the version number other than those described above.
  • until the OS is started, programs are executed in the order: firmware in the read-only area (read-only firmware), upgradeable firmware (read-write firmware), the kernel, and then the programs and services constituting the OS.
  • each program checks the version of the next program against the version number recorded on the security chip, and executes the next program only if the version is correct.
  • the access control mechanism of the security module determines the access rights of programs executed before the OS of the information processing apparatus starts (the pre-OS environment). Only such a program (firmware running before OS startup) can update the version number.
  • the conventional technology has a problem that the application program cannot properly confirm the integrity of the setting data without depending on the OS.
  • only when authority is appropriately set for all programs and files operating on the OS, none of the programs and files to which privileges have been assigned has been tampered with, and the privileged user of the information processing device performs no unexpected operations and properly manages the passwords for exercising authority, can the integrity of the configuration data be expected to be protected when the AP program refers to it.
  • the access right (permission) of the security chip needed to update the version information or the like during the integrity check of the OS pre-boot process is given to programs executed before OS boot and cannot be used from a general AP program after the OS has started. That is, a general AP program executed after the OS has started cannot, on its own, use the security chip to confirm the integrity of a setting file or the like.
  • an information processing apparatus includes: a setting file verification unit that obtains, from a storage unit of a tamper-resistant security module, information on a verification key for verifying the digital signature of a setting file and ID information of the setting file, and executes, by an application program, a process of verifying the integrity of the setting data of the setting file using the obtained verification key information and ID information; a setting file version verification unit that obtains registered version information from the storage unit and executes, by the application program, a process of verifying the setting version of the setting file using the obtained registered version information; and a setting file version update unit that updates the registered version information to the setting version when the setting version of the setting file and the registered version information satisfy a predetermined condition.
  • the verification method of the present invention is a verification method executed by an information processing apparatus, and includes obtaining, from a storage unit of a tamper-resistant security module, information on a verification key for verifying the digital signature of a setting file and ID information of the setting file.
  • the verification program of the present invention obtains, from a storage unit of a tamper-resistant security module, information on a verification key for verifying the digital signature of a configuration file and ID information of the configuration file, and uses the obtained verification key.
  • FIG. 1 is a diagram illustrating an example of a configuration of a system according to the first embodiment.
  • FIG. 2 is a diagram illustrating an example of information included in the setting file.
  • FIG. 3 is a diagram illustrating an example of information included in the public key / ID information.
  • FIG. 4 is a flowchart illustrating a setting file use process performed by the information processing apparatus according to the first embodiment.
  • FIG. 5 is a flowchart illustrating a setting file update process performed by the information processing apparatus according to the first embodiment.
  • FIG. 6 is a flowchart illustrating an AP program activation process performed by the information processing apparatus according to the first embodiment.
  • FIG. 7 is a flowchart illustrating a setting file recording process performed by the information processing apparatus according to the first embodiment.
  • FIG. 8 is a flowchart illustrating a public key / ID information update process performed by the information processing apparatus according to the first embodiment.
  • FIG. 9 is a diagram for explaining an operation cycle in the information processing device according to the first embodiment.
  • FIG. 10 is a diagram illustrating a computer that executes a verification program.
  • FIG. 1 is a diagram illustrating an example of a configuration of a system according to the first embodiment.
  • the system according to the first embodiment includes an information processing device 10 and a management device 20. It should be noted that the number of devices shown in FIG. 1 is merely an example, and the present invention is not limited to this. For example, the information processing device 10 and the management device 20 may be configured by one device.
  • the information processing device 10 has one or more AP programs 11 installed on it.
  • the information processing apparatus 10 includes a security module 12 (for example, TPM or the like) having tamper resistance.
  • the information processing apparatus 10 includes a device storage unit 13 such as a hard disk and a device control unit 14 such as an operating system.
  • in the management device 20, a user having digital signature authority remotely creates a setting file to be input to the AP program 11, and the management device 20 transmits the setting file to the information processing device 10. Further, in the management device 20, a user who has access rights to the public key information remotely updates the public key information of the security module. Note that its device configuration may be the same as that of the information processing device 10.
  • the application program 11 of the information processing device 10 includes a setting file input unit 11a, a setting file verification unit 11b, a setting file version verification unit 11c, a setting file version updating unit 11d, and an AP control unit 11e.
  • the setting file input unit 11a reads a setting file recorded in the device storage unit 13.
  • in the following, the case in which the data is read from the storage unit of the same device will be described.
  • the data may instead be obtained via the network (NW).
  • the setting file verifying unit 11b obtains, from the security module storage unit 12d, a public key for verifying the digital signature of the setting file and the ID information of the setting file, and executes a process of verifying the integrity of the setting data using the obtained public key and ID information.
  • the configuration file version verification unit 11c acquires registered version information from the security module storage unit 12d, and executes processing for verifying the configuration version of the configuration file using the acquired registered version information.
  • the setting file version updating unit 11d executes a process of updating the registered version information to the setting version when the setting version of the setting file and the registered version information satisfy a predetermined condition. In the following description, the predetermined condition is assumed to be that the setting version of the setting file is one version ahead of the registered version information, in which case the registered version is updated (incremented) to that next version.
  • the predetermined condition can be set for each information processing device 10 or each AP program 11.
  • the permitted update result can be specified for each information processing device 10 or each AP program 11, so the operator can create version information and a setting file for each information processing device 10 or each AP program 11 and carry out independent updates.
  • the predetermined condition is information that can be changed. For example, the predetermined condition may be changed so that, if the setting version of the setting file is two versions ahead of the registered version information, the update is accepted as the result of a proper update and the registered version is updated to the setting version.
  • the AP control unit 11e controls each unit of the AP program 11.
  • the AP control unit 11e permits the use of the setting file only when the integrity of the setting data is OK and the setting version is equal to the registered version.
  • the AP control unit 11e accesses the security module 12 via the device control unit 14.
  • the security module 12 includes an access control unit 12a, a public key / ID information management unit 12b, a registered version management unit 12c, a security module storage unit 12d, and a security module control unit 12e.
  • the access control unit 12a controls access to data in the security module storage unit 12d. Specifically, on receiving an update request for the public key and ID information stored in the security module storage unit 12d, the access control unit 12a verifies the authentication password input by the user and determines, according to the verification result, whether to allow the update.
  • the access control unit 12a restricts access to the update operation of the public key and ID information by authentication such as HMAC (Hash-based Message Authentication Code). That is, the access control unit 12a performs a message tampering check and HMAC authentication when remotely updating the public key / ID information.
  • the message is a command for updating public key / ID information (a command argument includes new public key / ID information to be updated).
  • the authentication method is not limited to HMAC authentication.
  • the access control unit 12a does not restrict access with respect to reference to public key and ID information, reference to registered version information, and increment of registered version information.
  • the public key / ID information management unit 12b refers to and updates the public key and ID information. Specifically, when the access control unit 12a determines that the update is permitted, the public key / ID information management unit 12b updates the public key and the ID information stored in the security module storage unit 12d.
  • the registered version management unit 12c references and updates (increments) registered version information.
  • the security module storage unit 12d stores a public key, ID information, and registered version information.
  • the security module storage unit 12d stores an authentication password for updating a public key and ID information.
  • the security module control unit 12e controls the above-described units of the security module 12.
  • the device storage unit 13 stores a setting file.
  • OS access rights can also be set on the setting file.
  • the device control unit 14 controls the above units and communicates with the management device 20.
  • the device control unit 14 records, in the device storage unit 13, a setting file created separately in the management device 20 for each application.
  • because the information processing apparatus 10 uses the security module 12, whose access control and data protection functions are independent of the OS, the integrity of the setting file can be confirmed without depending on the authority settings of the OS.
  • the management device 20 includes a setting file creation unit 21, a setting file transmission unit 22, a public key / ID information registration unit 23, and a control unit 24.
  • the setting file creating unit 21 has a function and a user interface for creating separate setting files for one or more AP programs 11 of one or more information processing apparatuses 10.
  • the setting file creation unit 21 also has a function of managing a secret key for generating a digital signature and performing user authentication.
  • the setting file creating unit 21 can, for example, apply a single digital signature collectively to a plurality of separate setting files.
  • the setting file transmitting unit 22 transmits the setting file to one or more information processing apparatuses 10.
  • the public key / ID information registration unit 23 updates the public key / ID information of the security module 12 via the device control unit 14 of the information processing device 10.
  • the public key / ID information registration unit 23 also includes an HMAC creation function for HMAC authentication.
  • the control unit 24 controls each of the above units, and performs communication with the information processing device 10.
  • the setting file is a file including setting data, a setting file ID, a setting version, and a digital signature as constituent elements.
  • the setting data is data (contents) read by the AP program.
  • the setting data can be uniquely identified by the setting file ID and the setting version.
  • the setting file ID is a type of the setting file unique to the information processing apparatus 10 and the AP program 11. Note that there may be a plurality of versions of a configuration file having the same configuration file ID.
  • the setting version is information for identifying the version of the setting file having the same setting file ID.
  • the format of the version information matches the format of the registered version information.
  • the digital signature is a digital signature based on a public key cryptosystem (such as an RSA algorithm) for information including setting data, a setting file ID, and a setting version.
  • the public key and ID information (public key / ID information) will be described.
  • the public key / ID information is data necessary for verifying the digital signature of the setting file, and includes registered public key information and registered ID information. This data does not need to be kept secret, but its integrity needs to be protected by the security module 12.
  • the registered public key information is a verification key (public key) of a digital signature of the setting file
  • the registered ID information is a setting data ID of the setting file.
  • the digital signature may be directly verified using the public key information, and the setting data ID may be verified.
  • the present invention is not limited to this.
  • the registered public key information may be a root certificate for verifying a certificate of a verification key (public key) of a digital signature of a setting file.
  • the registered ID information may be the data ID of the setting file together with the identification ID of the certificate of the verification key (public key) of the digital signature of the setting file.
  • a certificate of a verification key (public key) of the digital signature of the setting file is stored in the device storage unit 13 of the information processing device 10 or the like. Then, first, the digital signature of the setting file is verified using the above certificate, then the above certificate is verified with the root certificate obtained from the security module, and the setting data ID is further verified.
  • the registered version information does not need to be kept secret, but its integrity needs to be protected by a security module.
  • the registered version information uses the result of a one-way operation.
  • the following two types defined by TPM 2.0 will be described as the main examples, but the present invention is not limited to these.
  • the registered version information includes a counter value (integer value) and the memory index of the counter value.
  • the registered version information includes a hash value (sha256, etc.) and the memory index of the hash value.
  • the initial value of the registered version information is set by taking a random value as the old hash value and registering the resulting new hash value. Note that this random value is secret information; since it is not used afterwards, it is deleted immediately from memory or the like.
  • FIG. 4 is a flowchart illustrating a setting file use process performed by the information processing apparatus according to the first embodiment.
  • FIG. 5 is a flowchart illustrating a setting file update process performed by the information processing apparatus according to the first embodiment.
  • FIG. 6 is a flowchart illustrating an AP program activation process performed by the information processing apparatus according to the first embodiment.
  • FIG. 7 is a flowchart illustrating a setting file recording process performed by the information processing apparatus according to the first embodiment.
  • FIG. 8 is a flowchart illustrating a public key / ID information update process performed by the information processing apparatus according to the first embodiment.
  • first, the setting file input unit 11a of the AP program 11 of the information processing device 10 reads a setting file from the device storage unit 13 (Step S101). Then, the setting file verification unit 11b of the AP program 11 acquires the public key / ID information from the security module storage unit 12d (Step S102).
  • the setting file verifying unit 11b of the AP program 11 verifies the digital signature and the setting data ID of the setting file using the registered public key information and the registered ID information (Step S103). If the verification result is NG (No at Step S104), the process ends. If the verification result is OK (Yes at Step S104), the setting file version verifying unit 11c of the AP program 11 acquires the registered version information from the security module storage unit 12d (Step S105).
  • the setting file version verification unit 11c of the AP program 11 verifies the setting version of the setting file using the registered version information (Step S106).
  • if the setting file version verification unit 11c of the AP program 11 finds that the setting version and the registered version do not match (No at Step S107), the process ends.
  • if they match, the AP control unit 11e of the AP program 11 determines that the read setting file has integrity and permits the use of the read setting file (Step S108).
  • first, the setting file input unit 11a of the AP program 11 of the information processing device 10 reads a setting file from the device storage unit 13 (Step S201). Then, the setting file verification unit 11b of the AP program 11 acquires the public key / ID information from the security module storage unit 12d (Step S202).
  • the setting file verification unit 11b of the AP program 11 verifies the digital signature and the setting data ID of the setting file using the registered public key information and the registered ID information (Step S203). If the verification result is NG (No at Step S204), the process ends. If the verification result is OK (Yes at Step S204), the setting file version verifying unit 11c of the AP program 11 acquires the registered version information from the security module storage unit 12d (Step S205).
  • the setting file version verification unit 11c of the AP program 11 verifies the setting version of the setting file using the registered version information (Step S206). If the setting version does not match the registered version +1 (No at Step S207), that is, if the setting version is not the version one step ahead of the registered version, the process ends.
  • if the setting file version verifying unit 11c of the AP program 11 confirms that the setting version matches the registered version +1 (Yes at Step S207), the setting file version updating unit 11d of the AP program 11 instructs the registered version management unit of the security module to increment the registered version information (Step S208).
  • first, the setting file input unit 11a of the AP program 11 of the information processing device 10 reads a setting file from the device storage unit 13 (Step S301). Then, the setting file verification unit 11b of the AP program 11 acquires the public key / ID information from the security module storage unit 12d (Step S302).
  • the setting file verification unit 11b of the AP program 11 verifies the digital signature and the setting data ID of the setting file using the registered public key information and the registered ID information (Step S303). If the verification result is NG (No at Step S304), the process ends. If the verification result is OK (Yes at Step S304), the setting file version verifying unit 11c of the AP program 11 acquires the registered version information from the security module storage unit 12d (Step S305).
  • the setting file version verification unit 11c of the AP program 11 verifies the setting version of the setting file using the registered version information (Step S306). If the setting version and the registered version match (Yes at Step S307), the AP control unit 11e of the AP program 11 determines that the read setting file has integrity and permits the use of the read setting file (Step S308).
  • if the setting version does not match the registered version (No at Step S307), the setting file version verification unit 11c of the AP program 11 further checks whether the setting version matches the registered version +1; if it does not (No at Step S309), the process ends.
  • if the setting version does match the registered version +1, the setting file version updating unit 11d of the AP program 11 instructs the registered version managing unit of the security module to increment the registered version information (Step S310).
  • the setting file creating unit 21 of the management device 20 creates separate setting files for one or more AP programs 11 of one or more information processing devices 10 (Step S401). At this time, the setting file creating unit 21 performs user authentication when creating the digital signature.
  • the setting file transmitting unit 22 transmits the setting file to one or more information processing apparatuses 10 (Step S402). Then, the device control unit 14 records the setting file in the device storage unit 13 (Step S403).
  • the public key / ID information registration unit 23 transmits a command for updating the public key / ID information to the security module 12 via the device control unit 14 (Step S501).
  • this command includes an HMAC for authentication, and it is assumed that the user has input the authentication password used to create the HMAC.
  • the access control unit 12a of the security module 12 verifies the HMAC using the authentication password for the public key / ID information stored in the security module storage unit 12d (Step S502). If the verification result is NG (No at Step S503), the process ends.
  • if the verification succeeds, the public key / ID information management unit 12b of the security module updates the public key / ID information stored in the security module storage unit 12d (Step S504).
  • the user assigns a digital signature to the setting file to which version information has been assigned, and the AP program 11 verifies the signature with the public key / ID information stored in the security module 12. Then, the AP program 11 checks the integrity of the version information and the setting file based on this verification result. Further, the registration of the public key / ID information is updated after authenticating the user with the authentication password stored in the security module 12.
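The setting file lifecycle of FIGS. 4 to 8 (signature and ID check against the key registered in the module, comparison with the registered version, the +1 increment, and the HMAC-gated public key / ID update), written out as an added Go example; this is not code from the patent or from any NTT implementation. It models the TPM 2.0 counter-type registered version described above with an in-memory struct, uses Ed25519 for the digital signature and HMAC-SHA256 for the update command; the byte encoding under the signature, the file ID `ap1.conf` and the password are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SettingFile mirrors FIG. 2: setting data, setting file ID, setting version and a signature over them.
type SettingFile struct {
	Data      []byte
	ID        string
	Version   uint64
	Signature []byte
}

// signedBytes is the byte string the signature covers; the encoding itself is a constructed choice.
func signedBytes(f *SettingFile) []byte {
	return append([]byte(fmt.Sprintf("%d:%s|%d|", len(f.ID), f.ID, f.Version)), f.Data...)
}

// SecurityModule models the tamper-resistant module of FIG. 1 with a counter-type registered
// version: reads and the +1 increment are unrestricted, key/ID updates are HMAC-gated.
type SecurityModule struct {
	publicKey         ed25519.PublicKey
	registeredID      string
	registeredVersion uint64
	authPassword      []byte // secret HMAC key for update commands (Step S502)
}

// Reference operations and the increment are not access controlled (access control unit 12a).
func (m *SecurityModule) ReadPublicKeyID() (ed25519.PublicKey, string) { return m.publicKey, m.registeredID }
func (m *SecurityModule) ReadVersion() uint64                          { return m.registeredVersion }
func (m *SecurityModule) IncrementVersion()                            { m.registeredVersion++ } // only +1 is possible

// MakeUpdateMAC is the management-side HMAC creation function over the update command (new key || new ID).
func MakeUpdateMAC(password []byte, pub ed25519.PublicKey, id string) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(pub)
	mac.Write([]byte(id))
	return mac.Sum(nil)
}

// UpdatePublicKeyID follows FIG. 8: verify the HMAC with the stored password (S502, S503), then update (S504).
func (m *SecurityModule) UpdatePublicKeyID(pub ed25519.PublicKey, id string, mac []byte) error {
	if !hmac.Equal(mac, MakeUpdateMAC(m.authPassword, pub, id)) {
		return errors.New("HMAC verification failed: update refused")
	}
	m.publicKey, m.registeredID = pub, id
	return nil
}

// CreateSettingFile is the management device's step in FIG. 7: assemble the file and sign it.
func CreateSettingFile(priv ed25519.PrivateKey, id string, version uint64, data []byte) *SettingFile {
	f := &SettingFile{Data: data, ID: id, Version: version}
	f.Signature = ed25519.Sign(priv, signedBytes(f))
	return f
}

// verifyIntegrity is the setting file verification unit 11b (S302 to S304): registered ID and registered key.
func verifyIntegrity(m *SecurityModule, f *SettingFile) error {
	pub, id := m.ReadPublicKeyID()
	if f.ID != id {
		return errors.New("setting file ID does not match registered ID")
	}
	if !ed25519.Verify(pub, signedBytes(f), f.Signature) {
		return errors.New("digital signature verification failed")
	}
	return nil
}

// Activate is the AP program activation process of FIG. 6: "permitted" when the setting version equals
// the registered version (S307, S308), "incremented" when it is exactly one ahead so the counter is
// advanced (S309, S310), "rejected" on any integrity failure or other version (this blocks rollback).
func Activate(m *SecurityModule, f *SettingFile) string {
	if err := verifyIntegrity(m, f); err != nil {
		return "rejected"
	}
	registered := m.ReadVersion()
	switch f.Version {
	case registered:
		return "permitted"
	case registered + 1:
		m.IncrementVersion()
		return "incremented"
	default:
		return "rejected"
	}
}

// DemoSetup builds a module with a fresh key pair and a constructed password, handing back the
// signing key and password so the caller can play the management device.
func DemoSetup(initialVersion uint64) (*SecurityModule, ed25519.PrivateKey, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pw := []byte("constructed-demo-password")
	return &SecurityModule{publicKey: pub, registeredID: "ap1.conf", registeredVersion: initialVersion, authPassword: pw}, priv, pw
}
```

A file two versions ahead, an older file after an increment, a file signed with a retired key, or a file whose data was changed after signing all end in "rejected" without touching the counter.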
  • FIG. 9 is a diagram for explaining an operation cycle in the information processing device according to the first embodiment.
  • the operation of the information processing apparatus 10 consists of three nested operation cycles, operation cycles 1 to 3.
  • Operation cycle 1 is the start and stop cycle of the AP program 11 and is the most frequent.
  • In this cycle the AP program 11 automatically checks the integrity and version of the setting file. The check runs without any user operation (such as an authentication operation).
  • Operation cycle 2 is a setting file change cycle of the AP program 11 and is less frequent than operation cycle 1.
  • Creating a setting file involves a user authentication operation for giving the digital signature. One such operation can cover one or more AP programs 11 on one or more information processing apparatuses 10, and it can be performed asynchronously.
  • Asynchronous here means that the timing at which the user creates the setting file and the timing at which the AP program 11 takes up the new setting file (incrementing the registered version information in the security chip) are independent of each other.
  • Operation cycle 3 is a change of the public key / ID information and is less frequent than operation cycle 2 (for example, once every several years).
  • It involves a user authentication operation for updating the public key / ID information. Synchronous processing is desirable here for a safe implementation.
  • In this way, the operations that occur most frequently require few or no user operations, and the operations that do require user operations occur rarely. The total operation cost can therefore be kept low, and efficient operation is possible even when a large number of devices and AP programs are targeted.
  • the information processing apparatus 10 obtains the public key for verifying the digital signature of the setting file and the ID information of the setting file from the tamper-resistant security module storage unit 12d. Then, using the obtained public key and ID information, the application program 11 executes a process of verifying the integrity of the setting data of the setting file. Then, the information processing device 10 acquires the registered version information from the security module storage unit 12d, and executes a process of verifying the setting version of the setting file using the acquired registered version information by the application program 11. When the setting version and the registered version information of the setting file satisfy the predetermined condition, the information processing apparatus 10 updates the registered version information to the version of the setting version.
  • Because the access control of the security module 12 is independent of OS functions, and because the tamper resistance of the security module 12 is the basis of the determination, the integrity of the setting data can be properly confirmed by the application program without depending on the OS.
  • Suppose that a route (security hole) through which malware can enter with administrator authority arises in the system because of an unauthorized operation or an operation error by a user, and that malware does enter through it. With administrator authority the malware can tamper with any setting file held on the OS.
  • Even then, the AP program 11 of the information processing apparatus 10 can detect the tampering of the setting file, because it is far more difficult for malware to alter the data in the security module storage unit 12d or the functions of the security module 12 than to alter files and functions on the OS.
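As an added illustration (not code from the patent or from NTT), the following Go program models the two flows above in one place: the HMAC-authenticated update of the public key / ID information (Steps S501 to S504), and the AP program's start-up verification of a signed setting file against the public key, setting file ID and registered version held by the module, including the tampering and rollback cases just discussed. Assumptions: the security module is an in-memory struct standing in for the chip; Ed25519 is used for the digital signature and HMAC-SHA256 for authenticating the update command; the "predetermined condition" is taken to be setting version >= registered version; all names, passwords and setting data are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityModule stands in for the tamper-resistant security module 12 (storage 12d plus
// access control 12a). Assumption: the real device keeps this state in a security chip.
type SecurityModule struct {
	pubKey        ed25519.PublicKey
	settingID     string
	registeredVer uint32
	authPassword  []byte // password the user must know to change the key/ID
}

// UpdateCommand is the "update public key / ID information" command (Step S501).
type UpdateCommand struct {
	PubKey    ed25519.PublicKey
	SettingID string
	MAC       []byte // HMAC-SHA256 over PubKey||SettingID, keyed with the password
}

func commandMAC(password []byte, pub ed25519.PublicKey, id string) []byte {
	m := hmac.New(sha256.New, password)
	m.Write(pub)
	m.Write([]byte(id))
	return m.Sum(nil)
}

// NewUpdateCommand is what the registration unit 23 builds from the typed-in password.
func NewUpdateCommand(password []byte, pub ed25519.PublicKey, id string) UpdateCommand {
	return UpdateCommand{PubKey: pub, SettingID: id, MAC: commandMAC(password, pub, id)}
}

// UpdatePublicKeyID checks the HMAC with the stored password (Steps S502/S503) and
// replaces the stored key and ID only if it matches (Step S504).
func (sm *SecurityModule) UpdatePublicKeyID(cmd UpdateCommand) error {
	if !hmac.Equal(cmd.MAC, commandMAC(sm.authPassword, cmd.PubKey, cmd.SettingID)) {
		return errors.New("security module: HMAC verification NG, command rejected")
	}
	sm.pubKey = append(ed25519.PublicKey(nil), cmd.PubKey...)
	sm.settingID = cmd.SettingID
	return nil
}

func (sm *SecurityModule) RegisteredVersion() uint32 { return sm.registeredVer }

// SettingFile is the signed setting file as stored on the OS file system.
type SettingFile struct {
	ID        string
	Version   uint32
	Data      []byte
	Signature []byte // Ed25519 signature over ID||0x00||Version||Data
}

func signedBytes(id string, ver uint32, data []byte) []byte {
	var b bytes.Buffer
	b.WriteString(id)
	b.WriteByte(0) // separator so ID and version/data cannot be re-split
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], ver)
	b.Write(v[:])
	b.Write(data)
	return b.Bytes()
}

// CreateSettingFile is the user's side: assign the version, then sign.
func CreateSettingFile(priv ed25519.PrivateKey, id string, ver uint32, data []byte) SettingFile {
	return SettingFile{ID: id, Version: ver, Data: data, Signature: ed25519.Sign(priv, signedBytes(id, ver, data))}
}

// VerifySettingFile is the AP program's start-up check: integrity with the key and ID
// held by the module, then the setting version against the registered version.
// Assumed "predetermined condition": accept when setting version >= registered version;
// the registered version is advanced when the file is newer and never moves back.
func VerifySettingFile(sm *SecurityModule, f SettingFile) error {
	if f.ID != sm.settingID {
		return fmt.Errorf("setting file ID %q does not match registered ID %q", f.ID, sm.settingID)
	}
	if len(sm.pubKey) != ed25519.PublicKeySize || !ed25519.Verify(sm.pubKey, signedBytes(f.ID, f.Version, f.Data), f.Signature) {
		return errors.New("signature verification NG: setting data or version tampered")
	}
	if f.Version < sm.registeredVer {
		return fmt.Errorf("rollback: setting version %d is older than registered version %d", f.Version, sm.registeredVer)
	}
	sm.registeredVer = f.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sm := &SecurityModule{authPassword: []byte("operator-password")} // constructed sample password
	fmt.Println("register key:", sm.UpdatePublicKeyID(NewUpdateCommand([]byte("operator-password"), pub, "ap.conf")))
	v1 := CreateSettingFile(priv, "ap.conf", 1, []byte("listen=443\n")) // constructed sample data
	v2 := CreateSettingFile(priv, "ap.conf", 2, []byte("listen=8443\n"))
	fmt.Println("v1:", VerifySettingFile(sm, v1), "| v2:", VerifySettingFile(sm, v2), "| rollback to v1:", VerifySettingFile(sm, v1))
	v2.Data = []byte("listen=80\n") // malware with admin rights edits the file on the OS
	fmt.Println("tampered v2:", VerifySettingFile(sm, v2))
}
```

The point the cycles and the threat discussion make is visible in the last two calls: once version 2 has been accepted, a copy of the older signed file is refused even though its signature is valid, and a file edited on disk is refused because the signature no longer covers it; neither check needs the OS to be trustworthy, only the module's storage.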
  • the verification method of the present invention can be used by any AP program 11 executed on the OS of an information processing device 10 equipped with the security module 12.
  • the information processing apparatus 10 can confirm, for example, that the setting file has been upgraded to exactly the one version designated by the user.
  • the setting data is uniquely identified by “setting file ID” and “setting version” described in the setting file.
  • “Setting file ID” identifies the type of setting file and is unique to the combination of information processing apparatus 10 and AP program 11. This is because
  • each component of each device illustrated is a functional concept and does not necessarily need to be physically configured as illustrated. That is, the specific form in which each device is distributed or integrated is not limited to the one shown in the figures; all or part of the components may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, all or any part of the processing functions performed by each device can be realized by a CPU and a program analyzed and executed by the CPU, or realized as hardware by wired logic.
  • FIG. 10 is a diagram illustrating a computer that executes a verification program.
  • the computer 1000 has, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These components are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012.
  • the ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System).
  • the hard disk drive interface 1030 is connected to the hard disk drive 1090.
  • the disk drive interface 1040 is connected to the disk drive 1100.
  • a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
  • the serial port interface 1050 is connected to, for example, a mouse 1051 and a keyboard 1052.
  • the video adapter 1060 is connected to, for example, the display 1061.
  • the hard disk drive 1090 stores, for example, the OS 1091, the application program 1092, the program module 1093, and the program data 1094. That is, a program that defines each process of the information processing apparatus 10 is implemented as a program module 1093 in which codes executable by a computer are described.
  • the program module 1093 is stored in, for example, the hard disk drive 1090.
  • a program module 1093 for executing the same processing as the functional configuration of the device is stored in the hard disk drive 1090.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • Data used in the processing of the above-described embodiment is stored as the program data 1094 in the memory 1010 or the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
  • the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network or a WAN. Then, the program module 1093 and the program data 1094 may be read from another computer by the CPU 1020 via the network interface 1070.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention relates to an information processing device (10) that acquires, from a tamper-resistant security module storage unit (12d), a public key for verifying a digital signature of a setting file and ID information of the setting file, and executes, with an application program (11), a process of verifying the integrity of the setting data in the setting file using the acquired public key and ID information. Furthermore, the information processing device (10) acquires registered version information from the security module storage unit (12d), and executes, with the application program (11), a process of verifying the setting version of the setting file using the acquired registered version information. In addition, if the setting version of the setting file and the registered version information satisfy a prescribed condition, the information processing device (10) updates the registered version information to the version of the setting version.
PCT/JP2019/029907 2018-07-31 2019-07-30 Information processing device, program and verification method WO2020027159A1 (fr)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP19845230.2A EP3812939B1 (fr) 2018-07-31 2019-07-30 Information processing device, program and verification method
CN201980049031.7A CN112513849A (zh) 2018-07-31 2019-07-30 Information processing device, verification method and verification program
AU2019313886A AU2019313886B2 (en) 2018-07-31 2019-07-30 Information processing device, verification method and verification program
US17/263,517 US12026258B2 (en) 2018-07-31 2019-07-30 Information processing device, verification method and verification program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018144329A JP6697038B2 (ja) 2018-07-31 2018-07-31 Information processing device, verification method and verification program
JP2018-144329 2018-07-31

Publications (1)

Publication Number Publication Date
WO2020027159A1 WO2020027159A1 (fr) 2020-02-06

Family

ID=69232257

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/029907 WO2020027159A1 (fr) 2018-07-31 2019-07-30 Information processing device, program and verification method

Country Status (6)

Country Link
US (1) US12026258B2 (fr)
EP (1) EP3812939B1 (fr)
JP (1) JP6697038B2 (fr)
CN (1) CN112513849A (fr)
AU (1) AU2019313886B2 (fr)
WO (1) WO2020027159A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009003853A (ja) * 2007-06-25 2009-01-08 Panasonic Corp Information terminal and security module for starting multiple pieces of software in the correct order
JP2014106716A (ja) * 2012-11-27 2014-06-09 Nippon Telegr & Teleph Corp <Ntt> Control device, control system, control method and control program
JP2017021434A (ja) * 2015-07-07 2017-01-26 キヤノン株式会社 Information processing apparatus and control method therefor

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004234641A (ja) * 2003-01-08 2004-08-19 Kddi Corp Content file creator authentication method and program therefor
EP1659810B1 (fr) * 2004-11-17 2013-04-10 TELEFONAKTIEBOLAGET LM ERICSSON (publ) Updating configuration parameters in a mobile terminal
CN100578522C (zh) * 2005-06-01 2010-01-06 松下电器产业株式会社 Electronic device, update method for the electronic device, and integrated circuit
JP5296960B2 (ja) * 2005-06-17 2013-09-25 日本電気株式会社 File version management device
US7958346B2 (en) * 2005-08-18 2011-06-07 Oracle International Corp. Multilayered security for systems interacting with configuration items
US8539229B2 (en) * 2008-04-28 2013-09-17 Novell, Inc. Techniques for secure data management in a distributed environment
US8447989B2 (en) * 2008-10-02 2013-05-21 Ricoh Co., Ltd. Method and apparatus for tamper proof camera logs
US8214654B1 (en) * 2008-10-07 2012-07-03 Nvidia Corporation Method and system for loading a secure firmware update on an adapter device of a computer system
JP5387282B2 (ja) * 2009-09-25 2014-01-15 富士通株式会社 Content processing device and program for guaranteeing partial integrity of content
CN102014133B (zh) * 2010-11-26 2013-08-21 清华大学 Method for implementing a secure storage system in a cloud storage environment
DE102015213412A1 (de) * 2015-07-16 2017-01-19 Siemens Aktiengesellschaft Method and arrangement for the secure exchange of configuration data of a device
CN106411830B (zh) * 2016-01-25 2019-06-21 平安科技(深圳)有限公司 Method for preventing access data from being tampered with, and mobile terminal
US10754988B2 (en) 2016-08-30 2020-08-25 Winbond Electronics Corporation Anti-rollback version upgrade in secured memory chip
CN107894895A (zh) * 2017-11-06 2018-04-10 网易(杭州)网络有限公司 Code update processing method and device, storage medium, processor and server
EP3489853B1 (fr) * 2017-11-27 2021-02-24 Schneider Electric Industries SAS Method for providing a firmware update of a device
JP7185978B2 (ja) * 2018-07-03 2022-12-08 株式会社ソラコム Device and method for mediating the setting of authentication information
US10789061B2 (en) * 2018-09-26 2020-09-29 Intel Corporation Processor based component firmware update method and apparatus
GB201902470D0 (en) * 2019-02-22 2019-04-10 Secure Thingz Ltd Security data processing device
EP4287054A1 (fr) * 2022-06-03 2023-12-06 Siemens Aktiengesellschaft Computer-implemented method for updating security software code, computer hardware device, computer program and computer-readable medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
FILE AND FOLDER PERMISSIONS, 18 July 2018 (2018-07-18), Retrieved from the Internet <URL:https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2000/bb727008(v=technet.10>
See also references of EP3812939A4
TPM USAGE, 18 July 2018 (2018-07-18), Retrieved from the Internet <URL:https://www.chromium.org/developers/design-documents/tpm-usage>

Also Published As

Publication number Publication date
EP3812939B1 (fr) 2023-01-25
AU2019313886A1 (en) 2021-02-11
US12026258B2 (en) 2024-07-02
JP2020021270A (ja) 2020-02-06
JP6697038B2 (ja) 2020-05-20
AU2019313886B2 (en) 2022-04-21
EP3812939A1 (fr) 2021-04-28
US20210232689A1 (en) 2021-07-29
CN112513849A (zh) 2021-03-16
EP3812939A4 (fr) 2022-03-23

Similar Documents

Publication Publication Date Title
US11503030B2 (en) Service processor and system with secure booting and monitoring of service processor integrity
US11176255B2 (en) Securely booting a service processor and monitoring service processor integrity
US9436827B2 (en) Attesting a component of a system during a boot process
US8122256B2 (en) Secure bytecode instrumentation facility
US8171295B2 (en) Information processing apparatus, a server apparatus, a method of an information processing apparatus, a method of a server apparatus, and an apparatus executable process
US9288155B2 (en) Computer system and virtual computer management method
KR101190479B1 (ko) Ticket-authenticated secure installation and boot
WO2020063001A1 (fr) Method and device for managing basic input/output system firmware, and server
US20110246778A1 (en) Providing security mechanisms for virtual machine images
US8984296B1 (en) Device driver self authentication method and system
KR20080008361A (ko) Method, apparatus and processing system for providing a software-based security coprocessor
TWI720313B (zh) Local supervision and provisioning of basic input/output system activity
KR102474040B1 (ko) Remote management of initial computer operating system setup options
KR20190062797A (ko) User terminal using a cloud service, integrated security management server for terminals, and integrated security management method for terminals
KR102089435B1 (ko) Boot method for ensuring a secure USB device
JP6697038B2 (ja) Information processing device, verification method and verification program
KR102369874B1 (ko) Integrated update method for the OS and integrity information of a device subject to integrity verification, remote verification system, OS distribution server and device subject to integrity verification
Zimmer Platform Trust Beyond BIOS Using the Unified Extensible Firmware Interface.
US11971991B2 (en) Information processing apparatus, control method for controlling the same and storage medium
US20230106491A1 (en) Security dominion of computing device
US20240037216A1 (en) Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment
JP2009010911A (ja) Authentication system and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19845230

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019845230

Country of ref document: EP

Effective date: 20210119

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019313886

Country of ref document: AU

Date of ref document: 20190730

Kind code of ref document: A